Hello
I'm looking at updating freeimage from 3.10 to 3.17, also to resolve
CVE-2015-0852, and I'm wondering how to deal with the following situation:
- The package ships two libraries, libfreeimage (C API) and
libfreeimageplus (C++ wrapper)
- abi_compliance_checker reports that compatibility was not broken
between libfreeimage of 3.10 and 3.17. However, in libfreeimageplus,
various function signatures have changed due to switching from WORD (aka
unsigned short) to unsigned for various size-related parameters. The
soname was not changed, so this is an upstream error.
So, I see the following options:
- Contact upstream and wait for them to resolve the issue. Could take
some time.
- Patch the C++ API to restore compatibility with 3.10 (i.e. change
unsigned back to WORD) as a short-term solution, contact upstream and
notify them about the issue.
- Nothing in Fedora seems to require libfreeimageplus, so just build
3.17 in rawhide and F23 and have the libfreeimageplus ABI break silently
sneak in. Probably shouldn't even mention this option.
- Change library versioning from using libfreeimage{plus}.MAJOR to
libfreeimage-%{version} (i.e. as in libtool -release vs -version-info),
requiring rebuilds whenever freeimage is updated.
I'm leaning towards the second option. Other opinions?
Thanks,
Sandro
--
devel mailing list
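
Added example, not part of the original message and not FreeImage code: a minimal exported-symbol diff showing why a WORD (unsigned short) to unsigned parameter change breaks the C++ library's ABI while the C library stays compatible. It assumes the Itanium C++ ABI used by GCC/Clang on Linux, where unsigned short mangles as `t` and unsigned int as `j`; the class Img, the functions img_load/img_save and the nm listings are constructed for illustration.

```python
# Constructed `nm -D --defined-only` output for a hypothetical wrapper class
# Img and C functions img_*; these are not FreeImage's real symbols.
OLD_SYMS = """\
0000000000001130 T _ZN3Img6resizeEtt
0000000000001180 T _ZNK3Img8getWidthEv
00000000000011c0 T img_load
"""
NEW_SYMS = """\
0000000000001130 T _ZN3Img6resizeEjj
0000000000001180 T _ZNK3Img8getWidthEv
00000000000011c0 T img_load
0000000000001200 T img_save
"""

def exported(nm_text):
    """Names of defined global symbols in nm output (address, type, name)."""
    rows = (line.split() for line in nm_text.splitlines())
    return {f[2] for f in rows if len(f) == 3 and f[1] in set("TWVDBR")}

def split_nested(sym):
    """Split a mangled member function into (qualified name, parameter codes).
    Returns None for C symbols, whose names carry no parameter types."""
    if not sym.startswith("_ZN"):
        return None
    i, parts = (4 if sym.startswith("_ZNK") else 3), []
    while i < len(sym) and sym[i].isdigit():
        j = i
        while j < len(sym) and sym[j].isdigit():
            j += 1
        n = int(sym[i:j])
        parts.append(sym[j:j + n])
        i = j + n
    if i >= len(sym) or sym[i] != "E":
        return None
    return "::".join(parts), sym[i + 1:]

def abi_report(old_text, new_text):
    old, new = exported(old_text), exported(new_text)
    removed, added = sorted(old - new), sorted(new - old)
    changed = [(r[0], r[1], a[1])
               for r in map(split_nested, removed) if r
               for a in map(split_nested, added) if a and a[0] == r[0]]
    # A removed export breaks already-linked binaries; added ones do not.
    return {"removed": removed, "added": added,
            "signature_changed": changed, "soname_bump_needed": bool(removed)}

if __name__ == "__main__":
    print(abi_report(OLD_SYMS, NEW_SYMS))
```

The C symbol img_load is unchanged because its name encodes no parameter types, whereas the member function's symbol changes with the parameter type, so binaries linked against the old name fail to resolve it.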